# Spring HTTP Strict Transport Security Guide

1. demo site
    1. ![](https://i.imgur.com/9f2RsqF.png)
    2. generate, download, unzip, cd
    3. `docker run -it --rm --name my-maven-project -v "$(pwd)":/usr/src/mymaven -w /usr/src/mymaven maven:3.9.0-eclipse-temurin-17 mvn clean install`
    4. `java -jar target/demo-0.0.1-SNAPSHOT.jar`
    5. get generated security password
    6. visit http://localhost:8080 with username user and generated password
    7. ![](https://i.imgur.com/xFBcaE5.png)
2. index page
    1. create `src/main/java/com/example/demo/controller/WebController.java`

        ```java
        package com.example.demo.controller;

        import org.springframework.stereotype.Controller;
        import org.springframework.web.bind.annotation.RequestMapping;

        @Controller
        public class WebController {
            @RequestMapping(value = "/index")
            public String index() {
                return "index";
            }
        }
        ```
    2. create `src/main/resources/templates/index.html`

        ```html
        <!DOCTYPE html>
        <html>
            <head>
                <meta charset = "ISO-8859-1" />
                <title>Spring Boot Application</title>
            </head>
            <body>
                <h4>Welcome to Thymeleaf Spring Boot web application</h4>
            </body>
        </html>
        ```
    3. repeat 1.3 ~ 1.6
    4. ![](https://i.imgur.com/yEygz8G.png)
3. https
    1. create self-signed keystore: `demo.keystore`

        ```dos
        keytool -genkeypair -alias demo -keyalg RSA -keystore demo.keystore -storetype JKS -dname "CN=localhost" -keypass keyPass -storepass storePass
        ```
    2. create spring config: `demo.yml`

        ```yaml
        server:
          port: 8443
          ssl:
            enabled: true
            key-alias: demo
            key-store: "/your/path/to/demo.keystore"
            key-store-type: jks
            key-store-password: storePass
            key-password: keyPass
        ```
    3. `java -jar demo-0.0.1-SNAPSHOT.jar --spring.config.location=demo.yml`
    4. repeat 1.5
    5. visit https://localhost:8443 with username user and generated password, ignore self-signed certificate warning.
    6. ![](https://i.imgur.com/6AwnbPB.png)
4. alternative: war + tomcat + nginxproxy ???
    1. same as 1.1, but Packaging as War
    2. same as 1.2, 2.1, 2.2, 1.3
    3. `docker run -d --name tomcat -p 8080:8080 -v ./target/demo-0.0.1-SNAPSHOT.war:/usr/local/tomcat/webapps/demo-0.0.1-SNAPSHOT.war tomcat:10.1.7-jdk17-temurin-jammy`
    4. `docker logs tomcat | grep "generated security"`
    5. visit http://localhost:8080/demo-0.0.1-SNAPSHOT/ with username user and generated password, same as 2.4
    6. `docker stop tomcat; docker rm tomcat`
    7. create `docker-compose.yml`

        ```yaml
        version: '2'
        services:
          proxy:
            image: nginxproxy/nginx-proxy
            ports:
              - "443:443"
            volumes:
              - /var/run/docker.sock:/tmp/docker.sock:ro
              - ./certs:/etc/nginx/certs
          tomcat:
            image: tomcat:10.1.7-jdk17-temurin-jammy
            expose:
              - "8080"
            environment:
              - VIRTUAL_HOST=david.gss.com.tw
              - VIRTUAL_PORT=8080
            volumes:
              - ./target/demo-0.0.1-SNAPSHOT.war:/usr/local/tomcat/webapps/demo-0.0.1-SNAPSHOT.war
        ```
    8. prepare `./certs/david.gss.com.tw.crt` and `./certs/david.gss.com.tw.key`
    9. `notepad C:\Windows\System32\drivers\etc\hosts`, add `127.0.0.1 david.gss.com.tw`
    10. visit https://david.gss.com.tw/demo-0.0.1-SNAPSHOT/
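
To check what the HTTPS setup in step 3 changes for HSTS, the added example below (not part of the original guide) parses a response's `Strict-Transport-Security` header per RFC 6797 and flags a missing or invalid policy. It assumes Spring Security's default headers, which send HSTS only on HTTPS responses; the two sample responses are constructed, and `parse_hsts` and `findings` are hypothetical helper names.

```python
import re

# Constructed sample responses, not captured from the demo. The HTTPS one is
# modelled on Spring Security's default HSTS header value (an assumption here).
HTTP_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n\r\n"
)

def parse_hsts(raw_headers):
    """Return the HSTS policy as a dict, or None if absent or invalid."""
    values = [
        line.split(":", 1)[1].strip()
        for line in raw_headers.splitlines()[1:]  # skip the status line
        if line.lower().startswith("strict-transport-security:")
    ]
    if not values:
        return None
    directives = {}
    # RFC 6797 section 8.1: only the first HSTS header field is processed.
    for part in values[0].split(";"):
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # empty directive, e.g. from a trailing ";"
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = value.strip().strip('"')  # value may be quoted
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def findings(raw_headers):
    """List the problems a reviewer would flag for one response."""
    policy = parse_hsts(raw_headers)
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    if policy["max_age"] == 0:
        return ["max-age=0 makes the browser drop its HSTS entry for the host"]
    return []
```

Feed it the raw response headers from steps 1.6 and 3.5 to compare the two. A browser stores the policy only when the TLS connection has no certificate errors, so with the self-signed certificate from step 3.1 the header is sent but not enforced.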